An increase in malicious attacks on networks gives rise to various challenges in ensuring secure and effective communication between devices in a network. With an increase in the number of devices and access points on the network, comprehensive security strategies now require defense-in-depth, with security layered across the network, the server, and the endpoints. Typically, intrusion prevention systems can be employed to monitor a network for malicious or unwanted activity and can react, in real time, to block, deny or prevent those activities.
Intrusion prevention systems, typically network based or host based, employ automatically generated signatures to detect malicious attacks. Generally, conventional systems automatically generate anti-malware signatures by employing threat detection engines driven by built-in assumptions that trigger auto-generation of signatures.
Conventional detection methods can provide several tunable numeric variables, for example allowing one to specify network flow types and pattern prevalence measures used to generate their invariants (signatures), and/or employing dynamic dataflow analysis and non-executable pages, and/or intercepting memory violations. Thus, conventional methods for threat detection tend to be built into the product or tunable with parameter sets.
Traditional systems, however, face two main obstacles during malware detection, namely false positives and the lack of fidelity metrics for signatures. Users do not have control during signature generation, and if a signature is generated badly, it can match legitimate traffic, leading to errors and corrupted data. Automatic generation of signatures is fraught with false positives to a much greater extent than manual generation of signatures. However, manual generation of signatures, or a manual check after automatic generation, is unreliable, prone to human error and time consuming. Furthermore, conventional systems that provide automatic generation of signatures fail to provide a measure of confidence for a signature and cannot enable deployment based on that confidence.
A related problem is denial-of-service attacks using highly polymorphic code, where the purpose of the attacker is either to crash the system or to guess a vulnerable address to exploit. In this case, conventional security systems are unable to generate a signature that stops all possible malicious payloads. They fail to identify the vulnerable interface and restrict or control access to it while still providing full service on other interfaces. The problems associated with malware detection by automatic signature generation have potentially catastrophic effects that can inflict substantial losses on an organization or individual.
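The two gaps described above (an auto-generated signature that matches legitimate traffic, and polymorphic payloads that no single signature covers) are worked through in the following added example, which is not part of this document. A naive generator extracts the longest byte string shared by the malicious samples, the candidate is scored for precision and recall against labelled traffic, and the deployment mode is chosen from that score; all payloads, the marker headers and the thresholds are constructed.

```python
# Added example (not from the original text): score an auto-generated signature
# on labelled traffic and gate how it is deployed on that score. All payloads,
# marker headers and thresholds are constructed for the illustration.

def common_substring(samples):
    """Naive auto-generation: longest byte string shared by every malicious sample."""
    first, best = samples[0], b""
    for i in range(len(first)):
        for j in range(i + len(best) + 1, len(first) + 1):
            if all(first[i:j] in s for s in samples):
                best = first[i:j]
    return best

def fidelity(signature, labelled):
    """Count hits per class and derive precision, recall and a confidence score."""
    tp = sum(1 for p, bad in labelled if bad and signature in p)
    fp = sum(1 for p, bad in labelled if not bad and signature in p)
    fn = sum(1 for p, bad in labelled if bad and signature not in p)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    # Harmonic mean: drops if the signature is too broad (fp) or too narrow (fn).
    confidence = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision,
            "recall": recall, "confidence": confidence}

def deployment_mode(f, block_at=0.95, alert_at=0.6):
    """Block only with high confidence and no false positives; else alert-only or hold."""
    if f["confidence"] >= block_at and f["fp"] == 0:
        return "block"
    return "alert" if f["confidence"] >= alert_at else "review"

# Constructed traffic: three legitimate requests and two "malicious" ones whose
# only shared bytes are the protocol envelope, not their constructed markers.
TRAFFIC = [
    (b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n", False),
    (b"POST /api/login HTTP/1.1\r\nHost: shop.example\r\n\r\n", False),
    (b"GET /robots.txt HTTP/1.1\r\nHost: shop.example\r\n\r\n", False),
    (b"GET /a HTTP/1.1\r\nHost: shop.example\r\nX-Mark: c1\r\n\r\n", True),
    (b"POST /b HTTP/1.1\r\nHost: shop.example\r\nVia: c2\r\n\r\n", True),
]
AUTO_SIG = common_substring([p for p, bad in TRAFFIC if bad])

if __name__ == "__main__":
    for sig in (AUTO_SIG, b"X-Mark: "):  # auto-generated vs. a narrower hand-picked one
        f = fidelity(sig, TRAFFIC)
        print(sig, f"precision={f['precision']:.2f} recall={f['recall']:.2f}",
              deployment_mode(f))
```

The auto-generated candidate is just the shared HTTP envelope, so it matches every legitimate request and is held for review, while the narrower marker signature misses the second polymorphic variant and is therefore only fit for alert-only deployment.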